I am wondering, there are a few files I have kept outside of the root directory in a different directory and I am trying to use a HTML form to post info to a php file that sits OUTSIDE the root directory
Is that possible? If so, how?
Asked
Active
Viewed 9,507 times
4 Answers
7
Make a proxy script... something which is inside the web directory, but all it does is include the appropriate "protected" file:
DOCROOT/form_handler.php
<?php
include "../secret/form_handler.php";
DOCROOT/form.html
...
<form action="form_handler.php">
...
This is, in fact, how many sites are setup (in essence at least). It is typical to place most of your scripts outside the DOCROOT like this for in the rare case where Apache or similar does not parse your PHP (i.e. if it is misconfigured), it doesn't inadvertently send your source code.
Chris Trahey
- 18,202
- 1
- 42
- 55
-
How would I use HTML form to post to that though? – Kalcoder Jul 09 '12 at 07:37
-
@Kalcoder: You'd need to make a file that is visible from the `public_html` directory, and make your form post to that. The only way you're going to get a file outside of the webroot to execute, is by including it from a file that is inside the webroot. - Or maybe with some fancy webserver configuration. – Leigh Jul 09 '12 at 07:41
-
Good point @Leigh, this *is* possible with mod_rewrite (substitutions can be filesystem paths). If you are interested, you should submit that as an answer :-) – Chris Trahey Jul 09 '12 at 07:51
-
I need to be able to pass the info from a HTML form post to a php file that is in a folder on the same level as public_html, so in essence, posting not to a php file within public_html, is that possible? – Kalcoder Jul 09 '12 at 08:21
-
then mod_rewrite is probably the only solution, map the notphp file from the form action on the php file in your php folder, as suggested above – ivoba Jul 09 '12 at 10:31
3
On my website, every form I start with this code:
<form action="action" method="post">
<input type="hidden" name="i-action" value="do-whatever" />
This avoids the need for multiple proxy scripts because action.php will use the value of the hidden field to determine which php file should be called. Don't call the hidden field action if you post the form using Ajax because it can cause a conflict. Also, I have set the .htaccess file to remove the php extension, so you may need to add .php to action in your HTML code.
Here is action.php:
if (!empty($_POST['i-action']))
{
$action = str_replace('.', '', $_POST['i-action']);
$action = str_replace('/', '', $action);
if (file_exists("../secret/directory/structure/$action".'.php'))
require_once("../secret/directory/structure/$action".'.php');
}
I used str_replace to ensure hackers can't traverse to a different directory.
Dan Bray
- 7,242
- 3
- 52
- 70
1
Yes it is posible. That directory should be hosted as separate site and then you can give absolute URL of the file as form action
Chamika Sandamal
- 23,565
- 5
- 63
- 86
-
2that's not what he's asking for. Also "yes it's possible" is the worst kind of answer. – Leigh Jul 09 '12 at 07:10
-
2
0
The file must be accesible from the web.
If "outside of Root" directory means outside of DocumentRoot, this wont be possible.
You could have a basic Controller in DocumentRoot which includes or dispatchs the action.
ivoba
- 5,780
- 5
- 48
- 55
-
What if it was within the document root but just not in public_html ? – Kalcoder Jul 09 '12 at 07:14
-
the file must be called from the web, so if you can call it, like f.e. /onedirunderdocumentroot/form.php you can use it. usually public_html is document_root, so everything below it can be accessed. – ivoba Jul 09 '12 at 07:22